To Read All Of The Privacy Policies You Encounter, You'd Need To Take A Month Off From Work Each Year

from the get-busy-reading dept

We've discussed the stupidity of privacy policies many times in the past. Honestly, it's an idea that serves no useful purpose, yet most sites are required to have one, and if you don't, people get all upset. But no one reads them, and most people incorrectly assume that if a site has any privacy policy, they must keep data private.

The reality is that the incentives of a privacy policy are to not use it to keep your info private. In fact, the incentives are to make a privacy policy as permissive as possible. Because the only time you get in trouble is not if you fail to protect someone's privacy... but if you violate your own privacy policy. So companies have the incentive to write a privacy policy that is as permissive to the company as possible, so that they're less likely to violate their own privacy policy. That is, conceptually, the best privacy policy for a company is one that says "we don't take your privacy seriously at all and share all your data," because then they'll never break that policy. Of course, companies don't go that far, because that's pretty extreme -- but it does lead to vague privacy policies that no one reads anyway. Oh, and even when people do read them, almost no one understands them.

In fact, a new report notes that if you actually bothered to read all the privacy policies you encounter on a daily basis, it would take you 250 working hours per year -- or about 30 workdays. The full study (pdf) by Aleecia M. McDonald and Lorrie Faith Cranor is quite interesting. They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words) and recognize that at a standard reading pace of 250 words per minute, most privacy policies take about eight to ten minutes to read. They also ran some tests to figure out how long it actually takes people to read and/or skim privacy policies.

They put all of this together and estimated that it would normally take a person about 244 hours per year to read every new privacy policy they encountered... and even 154 hours just to skim them. They used some variables to create a lower and upper bound estimate as well:

They then go further to try to estimate the cost to the economy of all this privacy policy reading, but I always find such extrapolations to be pretty meaningless. They assume a constant return on time, so just like bogus studies about how much personal surfing "costs" the economy, those figures seem totally meaningless. But the amount of time estimates do seem completely valid.

And, here's the thing: that's only for privacy policies. Imagine if you read terms of service and end user license agreements too... Of course, sometimes those include little hidden gems. Like the time a company put a clause in its EULA that the first person to read that clause and contact them would get $1,000. It only took four months for someone to actually spot it.

Re:

Moving into a place with an HOA is a sucker's bet. Gee let me have some ahole with nothing better to do than call the police because I put my trash out on Saturday because I was not going to be home on Sunday, or have some cop put a notice on my door because he thinks my grass is too high, or when they put no parking signs on a street that a fire truck could do a 3 point turn on, or they cut all the trees and grass on the hill behind me to make what my wife and myself called the ass-hill. Yeah, no thanks, if I wanted to be a renter I would still do so. Glad I sold that beautiful house in a communist community. Never again.

Re:

It's funny how some of these agreements make you scroll all the way to the bottom first, check the I accept checkbox, and click the next button before they allow you to continue. Since this is an attempt to ensure I actually read the agreement, the software must think I read really fast.

No one really reads these things. Maybe next time they can ensure a minimal amount of time elapses before I click the next button to ensure I've had time to actually read it. Then I can leave the screen and go get some tea while the time is elapsing and when the time has elapsed, I'll come back and click next. Unless they figure out a way to make sure I'm not idle by ensuring mouse movement within the application. Then that would suck and I'll have to figure a workaround.

Re: Re:

From Snow Crash regarding the Gov and a similar idea:

"Y.T.'s mom pulls up the new memo, checks the time, and starts reading it. The estimated reading time is 15.62 minutes. Later, when Marietta does her end-of-day statistical roundup, sitting in her private office at 9:00 P.M., she will see the name of each employee and next to it, the amount of time spent reading this memo, and her reaction, based on the time spent, will go something like this:

Less than 10 min. Time for an employee conference and possible attitude counseling.

10-14 min. Keep an eye on this employee; may be developing slipshod attitude.

14-15.61 min. Employee is an efficient worker, may sometimes miss important details.

Exactly 15.62 min. Smartass. Needs attitude counseling.

15.63-16 min. Asswipe. Not to be trusted.

16-18 min. Employee is a methodical worker, may sometimes get hung up on minor details.

More than 18 min. Check the security videotape, see just what this employee was up to (e.g., possible unauthorized restroom break).

Y.T.'s mom decides to spend between fourteen and fifteen minutes reading the memo. It's better for younger workers to spend too long, to show that they're careful, not cocky. It's better for older workers to go a little fast, to show good management potential. She's pushing forty. She scans through the memo, hitting the Page Down button at reasonably regular intervals, occasionally paging back up to pretend to reread some earlier section. The computer is going to notice all this. It approves of rereading. It's a small thing, but over a decade or so this stuff really shows up on your work-habits summary."

I can understand the need for nearly unreadable privacy policies of most sites in that there is NO way to keep people's data completely and totally private. Things like buggy code and too many people's tendency to share far too much of their own information making it easy to trace or track them. But, as Mike says, the whole idea is to make it as permissive as possible so that some "helpful" employee doesn't violate them.

That and they're written up in dense legalese that satisfies judges, privacy commissioners and so on that they're actually doing the minimum allowed by law.

They're kinda like the parking stub that says they'll rent you a space for a couple of hours but the owners of the lot aren't responsible if someone drives off with your Jag.

Companies don't put up "we don't take your privacy seriously at all and share all your data" in their privacy policy because then the rare visitors who bother to click on it would raise a stink.

Instead, they put up 50 pages of legalese that translates to: "we don't take your privacy seriously at all and share all your data," ensuring even the one in a million guy who's actually bored enough to try to read it probably won't understand a word.

Median

They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words)...

Wrong. Median is defined as exactly halfway between the minimum and maximum observed value. So, in this case, 3906.5 words, which I'd be much more likely to approximate as "around 4000 words" than as "around 2500 words".

Mean is the average of all the values. It's more likely that this is what was "around 2500 words".

Mode is the individual number that comes up the most often.

If you had 99 copies of a document saying "the quick brown fox jumped over the lazy dog" and one document of 100,000 words, you'd have these values for word count statistics:

Re: Median

The median of a finite list of numbers can be found by arranging all the observations from lowest value to highest value and picking the middle one. If there is an even number of observations, then there is no single middle value; the median is then usually defined to be the mean of the two middle values.

Hi I make up definitions to words and attack you for not knowing the meaning of them

Re: Median

But the median is the middle observed value in the results, not the actual middle. If the interquartile range was down in the 2500 word region (for the sake of argument between 1500 and 2800) and between there and 7669 words were just a few results, then the median could be significantly lower than 4000.

Creative Commons for Licensing?

Maybe standardization could help here. Most people don't read the full-text of a CC license, but they might check out the "short" version or recognize the icons floating around.

But all in all, a hard problem. People's privacy expectations on websites are informed by a mix of the UI design and their experiences with other websites. And the idea of being sued over a misleading UI would terrify any designer.